lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Oct 2017 21:50:56 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Adrian Salido <salidoa@...gle.com>, Benson Leung <bleung@...omium.org>, Guenter Roeck <groeck@...omium.org>, Dmitry Torokhov <dmitry.torokhov@...il.com>, Jiri Kosina <jkosina@...e.cz> Subject: [PATCH 4.9 085/105] HID: i2c-hid: allocate hid buffers for real worst case 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Adrian Salido <salidoa@...gle.com> commit 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b upstream. The buffer allocation is not currently accounting for an extra byte for the report id. This can cause an out of bounds access in function i2c_hid_set_or_send_report() with reportID > 15. Signed-off-by: Adrian Salido <salidoa@...gle.com> Reviewed-by: Benson Leung <bleung@...omium.org> Signed-off-by: Guenter Roeck <groeck@...omium.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@...il.com> Signed-off-by: Jiri Kosina <jkosina@...e.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- drivers/hid/i2c-hid/i2c-hid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -604,7 +604,8 @@ static int i2c_hid_alloc_buffers(struct { /* the worst case is computed from the set_report command with a * reportID > 15 and the maximum report length */ - int args_len = sizeof(__u8) + /* optional ReportID byte */ + int args_len = sizeof(__u8) + /* ReportID */ + sizeof(__u8) + /* optional ReportID byte */ sizeof(__u16) + /* data register */ sizeof(__u16) + /* size of the report */ report_size; /* report */
Powered by blists - more mailing lists